authorlassulus <lassulus@lassul.us>2022-12-08 13:11:27 +0100
committerlassulus <lassulus@lassul.us>2022-12-08 13:11:27 +0100
commitd7341bbff6b0b866aa5d8bc9b248e8468fba5952 (patch)
tree5833484e2ebf219ed06e66b40cdc3c626e4db73c
parentac32440c0b41a3c7dc67ab7dc8d3306ab7fae091 (diff)
parentf8fdd76e7195d4a4f0117f7e64032075bb01a98e (diff)
Merge remote-tracking branch 'ni/master'
-rw-r--r--krebs/3modules/exim-smarthost.nix40
-rw-r--r--krebs/3modules/htgen.nix21
-rw-r--r--krebs/5pkgs/simple/htgen/default.nix7
-rw-r--r--tv/2configs/hw/x220.nix3
-rw-r--r--tv/2configs/imgur.nix4
-rw-r--r--tv/5pkgs/simple/imagescan-plugin-networkscan.nix2
6 files changed, 65 insertions, 12 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 38cc828b..7c176d22 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,8 @@ let
api = {
enable = mkEnableOption "krebs.exim-smarthost";
+ enableSPFVerification = mkEnableOption "SPF verification";
+
authenticators = mkOption {
type = types.attrsOf types.str;
default = {};
@@ -126,8 +128,9 @@ let
domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains}
hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
- acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+ acl_smtp_mail = acl_check_mail
+ acl_smtp_rcpt = acl_check_rcpt
never_users = root
@@ -179,6 +182,41 @@ let
accept
+ acl_check_mail:
+ ${if cfg.enableSPFVerification then indent /* exim */ ''
+ accept
+ authenticated = *
+ accept
+ hosts = +relay_from_hosts
+ deny
+ spf = fail : softfail
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ $sender_host_address is not allowed to send mail from \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ deny
+ spf = permerror
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ syntax error in SPF record(s) for \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ defer
+ spf = temperror
+ log_message = spf=$spf_result; deferred
+ message = temporary error during SPF validation; \
+ please try again later
+ warn
+ spf = none : neutral
+ log_message = spf=$spf_result
+ accept
+ add_header = $spf_received
+ '' else indent /* exim */ ''
+ accept
+ ''}
begin routers
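Review bot: The first `deny` in `acl_check_mail` matches `spf = fail : softfail`, so a softfail result is rejected as hard as a fail; RFC 7208 advises against rejecting on softfail alone, and forwarded or mailing-list mail commonly ends up there. Consider `spf = fail` on the deny and moving softfail to the logging rule as `spf = softfail : none : neutral`, so the result still reaches the log and the `$spf_received` header. The `spf` condition also needs an Exim built with SPF support, which this hunk does not show; without it, turning on `enableSPFVerification` would presumably leave Exim unable to parse its configuration. The ACL sits inside a larger configuration string that starts and ends outside the hunk.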
diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix
index 375e2697..1e7e6992 100644
--- a/krebs/3modules/htgen.nix
+++ b/krebs/3modules/htgen.nix
@@ -2,6 +2,12 @@
with import <stockholm/lib>;
let
+ optionalAttr = name: value:
+ if name != null then
+ { ${name} = value; }
+ else
+ {};
+
cfg = config.krebs.htgen;
out = {
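Review bot: `optionalAttr` tests `name != null`, but both call sites in the later `environment` hunk pass a literal name (`"HTGEN_SCRIPT"`, `"HTGEN_SCRIPT_FILE"`) and a possibly-null value, so the `else {}` branch is never taken and a null `script` or `scriptFile` is still merged into the attribute set. The condition was presumably meant to be `if value != null then`. It may only work today if the systemd module skips null environment values, which is worth confirming rather than relying on.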
@@ -30,8 +36,15 @@ let
};
script = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ scriptFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
};
+
user = mkOption {
type = types.user;
default = {
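Review bot: With `script` and `scriptFile` both `nullOr` and `default = null`, nothing visible in this hunk stops an instance from setting neither or both, and what htgen does in either case cannot be told from here. An assertion per instance would catch it at evaluation time, e.g. `assertion = (htgen.script == null) != (htgen.scriptFile == null);` with a message naming the instance. Neither option carries a `description`; since `scriptFile` presumably names code the service runs as `htgen.user`, one line saying it should point at a store path or another location that user cannot write would help. The submodule's option set starts and ends outside the hunk.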
@@ -54,8 +67,10 @@ let
after = [ "network.target" ];
environment = {
HTGEN_PORT = toString htgen.port;
- HTGEN_SCRIPT = htgen.script;
- };
+ }
+ // optionalAttr "HTGEN_SCRIPT" htgen.script
+ // optionalAttr "HTGEN_SCRIPT_FILE" htgen.scriptFile
+ ;
serviceConfig = {
SyslogIdentifier = "htgen";
User = htgen.user.name;
diff --git a/krebs/5pkgs/simple/htgen/default.nix b/krebs/5pkgs/simple/htgen/default.nix
index 14b6f4c5..1ee13783 100644
--- a/krebs/5pkgs/simple/htgen/default.nix
+++ b/krebs/5pkgs/simple/htgen/default.nix
@@ -1,13 +1,12 @@
{ fetchgit, lib, pkgs, stdenv }:
stdenv.mkDerivation rec {
pname = "htgen";
- version = "1.3.1";
+ version = "1.4.0";
- #src = <htgen>;
src = fetchgit {
- url = "http://cgit.krebsco.de/htgen";
+ url = "https://cgit.krebsco.de/htgen";
rev = "refs/tags/${version}";
- sha256 = "0ml8kp89bwkrwy6iqclzyhxgv2qn9dcpwaafbmsr4mgcl70zx22r";
+ sha256 = "1k6xdr4g1p2wjiyizwh33ihw3azbar7kmhyxywcq0whpip9inpmj";
};
installPhase = ''
diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index 25e2effb..c3ec7b40 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -61,6 +61,9 @@ in
emulateWheel = true;
};
+ # Conflicts with TLP, but gets enabled by DEs.
+ services.power-profiles-daemon.enable = false;
+
services.tlp.enable = true;
services.tlp.settings = {
START_CHARGE_THRESH_BAT0 = 80;
diff --git a/tv/2configs/imgur.nix b/tv/2configs/imgur.nix
index ba84fd2d..1df67f93 100644
--- a/tv/2configs/imgur.nix
+++ b/tv/2configs/imgur.nix
@@ -18,8 +18,6 @@ with import <stockholm/lib>;
krebs.htgen.imgur = {
port = 7771;
- script = /* sh */ ''
- (. ${pkgs.htgen-imgur}/bin/htgen-imgur)
- '';
+ scriptFile = "${pkgs.htgen-imgur}/bin/htgen-imgur";
};
}
diff --git a/tv/5pkgs/simple/imagescan-plugin-networkscan.nix b/tv/5pkgs/simple/imagescan-plugin-networkscan.nix
index c3f2deac..4f9b84b2 100644
--- a/tv/5pkgs/simple/imagescan-plugin-networkscan.nix
+++ b/tv/5pkgs/simple/imagescan-plugin-networkscan.nix
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
preFixup = ''
patchelf --set-interpreter \
- ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 \
+ ${pkgs.pkgsi686Linux.glibc}/lib/ld-linux-x86-64.so.2 \
$out/lib/utsushi/networkscan
# libstdc++.so.6
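Review bot: The new interpreter path takes glibc from `pkgs.pkgsi686Linux` but keeps the loader name `ld-linux-x86-64.so.2`; a 32-bit glibc normally ships `ld-linux.so.2`, so this path may not exist and the patched binary would then fail to start. If `networkscan` is a 64-bit ELF, `${pkgs.glibc}/lib/ld-linux-x86-64.so.2` looks like the intended replacement for the removed `stdenv.glibc`; if it is 32-bit, the file name should become `ld-linux.so.2`. The derivation's argument list is outside the hunk, so whether `pkgs` is in scope cannot be confirmed from here, and `preFixup` continues past the end of the hunk.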